On Nov 10, 2003, at 8:13 AM, Jeff Foster wrote:
This may be a pcap issue,
It is.
but when I capture with the 'Any' interface
on my linux box I only see broadcast traffic or traffic that has the
IP address of the linux box.
I have the "Promiscuous mode" enabled.
I suspect that "Promiscusous" doesn't apply to the 'Any' interface.
You are correct.
To quote the libpcap man page:
promisc specifies if the interface is to be put into promiscuous mode.
(Note that even if this parameter is false, the interface could well be
in promiscuous mode for some other reason.) For now, this doesn't work
on the "any" device; if an argument of "any" or NULL is supplied, the
promisc flag is ignored.
It will probably continue to be "now" until somebody contributes to
tcpdump.org code to enumerate all the devices on the system and put
them all into promiscuous mode; capturing on all devices is easy (you
just don't bind the PF_PACKET socket to a specific device), but putting
all those devices into promiscuous mode is not (and if you're on a
system that has interfaces dynamically added and removed, note that if
an interface is added, the "any" device will return packets on them,
but wouldn't magically put the interface into promiscuous mode).
